Security Error when running from customer site
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Security Error when running from customer site
Using a self signed certificate.
Java 8_45
Firefox 38.0
I can deploy the applet to my localhost by putting the following in my exception site list and it runs fine. I do get the Security dialog about an untrusted applet.
http://localhost:8080/editor-1/
I'm trying to deploy to http://www.mbepapers.org:8080/editor-1/
Obviously I'm using a Tomcat server for both deployments, the editor applet is talking to a JSP server webapp and vice versa using local storage on the clients.
I have both in the exception site list
http://mbepapers.org:8080/editor-1/
http://www.mbepapers.org:8080.editor-1/
It's a very long output in the java console at level 5 output. All the jars pass security except my editor, which originally was oxygen-sample-applet-1.0.....
cache: Cancel delay cleanup: URL: http://www.mbepapers.org:8080/editor-1/ ... APSHOT.jar | /home/scott/.java/deployment/cache/6.0/27/4ee9c91b-1794b401.idx
cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@119d10cc: 2
java.lang.SecurityException: JAR manifest application-library-allowable-codebase mismatch for http://www.mbepapers.org:8080/editor-1/ ... APSHOT.jar
    at com.sun.deploy.security.DeployManifestChecker.verify(Unknown Source)
    at com.sun.deploy.security.DeployManifestChecker.verify(Unknown Source)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
basic: null
later on in the console output here is where it denies running the applet.
preloader: Delivering: ErrorEvent[url=http://www.mbepapers.org:8080/editor-1/mbep.jnlp label=The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel. cause=The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel.
preloader: Enqueue: com.sun.javaws.progress.PreloaderDelegate$4@644285aa
basic: exception: The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel..
ExitException[ 3]com.sun.deploy.security.BlockedException: The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel.
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
preloader: Preloader shutdown after ErrorEvent
    at java.lang.Thread.run(Thread.java:745)
preloader: Stop progressCheck thread queue.size()=0
Ignored exception: ExitException[ 3]com.sun.deploy.security.BlockedException: The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel.
ui: Show default error panel
My default properties for the jnlp section
Code: Select all
# JNLP
#
#
# The main class to be set in the JNLP file.
mainclass=myGroup.mbepEditorApplet
# The code base to be set in the JNLP file.
#codebase=http://localhost:8080/editor-1/
codebase=http://www.mbepapers.org:8080/editor-1/
My generated mbep.jnlp file truncated in the middle for brevity
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://www.mbepapers.org:8080/editor-1/" href="http://www.mbepapers.org:8080/editor-1/mbep.jnlp">
  <!-- The tokens marked with @@ and the DEPENDENCIES element are replaced by Ant/Maven with the correct values-->
  <information>
    <title>MBEP Editor Applet</title>
    <vendor>Mary Baker Eddy Library</vendor>
    <homepage href="http://www.mbepapers.org/"/>
    <description>MBEP Editor Applet</description>
    <description kind="short">Editor</description>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <!-- Application Resources -->
    <j2se java-vm-args="-Xmx256m -XX:MaxPermSize=80m" version="1.6+"/>
    <jar href="lib/mbep-editor-applet-1.0-SNAPSHOT.jar" main="true"/>
    <jar href="lib/batik-anim-1.7.jar"/>
    <jar href="lib/oxygen-saxon9he-17.0.0.jar"/>
    .......
    <jar href="lib/oxygen-xercesImpl-17.0.0.jar"/>
  </resources>
  <applet-desc name="MBEP-Editor-Applet" main-class="myGroup.mbepEditorApplet" width="800" height="600">
  </applet-desc>
  <update check="always"/>
</jnlp>
how I call the applet
Code: Select all
<applet code="myGroup.mbepEditorApplet" width="800" height="600">
  <param name="java_arguments" value="-Xmx256m -XX:MaxPermSize=80m"/>
  <param name="java_version" value="1.6+" />
  <param name="jnlp_href" value="mbep.jnlp" />
  <param name="AppletID" value="ApplId" />
  <param name="classloader_cache" value="false" />
  <param name="separate_jvm" value="true" />
  <!--<param name="addHelperViews" value="true"/>
  Uncomment the following line for full debug
  <param name="loggerLevel" value="debug"/> -->
</applet>
I've tried putting the html file name and the jnlp file name in the exception site list but that made no difference.
What am I doing wrong?
-
- Posts: 9424
- Joined: Fri Jul 09, 2004 5:18 pm
Re: Security Error when running from customer site
Hi Scott,
This particular error:
Code: Select all
java.lang.SecurityException: JAR manifest application-library-allowable-codebase mismatch for http://www.mbepapers.org:8080/editor-1/ ... APSHOT.jar
would mean that in the main applet JAR library in the Manifest.mf the application-library-allowable-codebase property does not match the code base from where you deploy the applet.
Regards,
Radu
Radu Coravu
<oXygen/> XML Editor
http://www.oxygenxml.com
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Re: Security Error when running from customer site
Radu,
I figured it was something like that.
here is the top portion of the MANIFEST.MF in mbep-editor-applet-1.0-SNAPSHOT.jar, the offending one.
Code: Select all
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Application-Name: MBEP Editor Applet
Archiver-Version: Plexus Archiver
Built-By: scott
Permissions: all-permissions
Caller-Allowable-Codebase: http://www.mbepapers.org:8080/editor-1/
Codebase: *
Application-Library-Allowable-Codebase: http://www.mbepapers.org:8080/
 editor-1/
Class-Path:
Created-By: Apache Maven
Build-Jdk: 1.8.0_45
Name: myGroup/mbepEditor$19$1.class
SHA-256-Digest: JLv3mv762SNASH2bfggqAWN+bGRiRrHZ3VIq8FJmlVQ=
The odd thing is it looks like there is a c/r and a space between "...8080/" and "editor-1/", which I think would be bad?
I checked some of the other jars and they all look the same?
the only place editor-1 is defined is in default.properties
Code: Select all
# JNLP
#
#
# The main class to be set in the JNLP file.
mainclass=myGroup.mbepEditorApplet
# The code base to be set in the JNLP file.
#codebase=http://localhost:8080/editor-1/
codebase=http://www.mbepapers.org:8080/editor-1/
no c/r or space there?
and I assume the MANIFEST.MF is made from the template build-trusted.xml
Code: Select all
<project default="addTrustedLibraries">
  <target name="addTrustedLibraryProperty">
    <jar file="${jarFile}" update="true">
      <manifest>
        <!--Commented out, gives warning with Java 1.7.45 -->
        <!--<attribute name="Trusted-Library" value="true"/> -->
        <!--EXM-27848 Remove warnings, see: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html -->
        <attribute name="Application-Name" value="MBEP Editor Applet" />
        <attribute name="Permissions" value="all-permissions" />
        <attribute name="Codebase" value="*" />
        <!-- Remove possible dependencies to other jars (not covered by Maven). Avoids unnecessary HTTP requests. -->
        <attribute name="Class-Path" value="" />
        <!--EXM-28568 Avoid giving warning with Java 1.7.45 -->
        <attribute name="Application-Library-Allowable-Codebase" value="${codebase}" />
        <attribute name="Caller-Allowable-Codebase" value="${codebase}" />
      </manifest>
    </jar>
  </target>
  <target name="addTrustedLibraries" xmlns:ac="antlib:net.sf.antcontrib">
    <echo>Processing all jars from: ${project.build.directory}/jnlp/lib</echo>
    <ac:foreach target="addTrustedLibraryProperty" param="jarFile">
      <path>
        <fileset dir="${project.build.directory}/jnlp/lib" includes="**/*.jar, **/*.zip" />
      </path>
    </ac:foreach>
  </target>
</project>
which uses the same ${codebase} variable the same for both codebase attributes, yet they are not identical in the output.
So why the c/r and space and does it matter?
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Re: Security Error when running from customer site
I see from the manifest spec there is a line length limit
Line length:
No line may be longer than 72 bytes (not characters), in its UTF8-encoded form. If a value would make the initial line longer than this, it should be continued on extra lines (each starting with a single SPACE).
So the broken line looks to be legit? Though it sure is suspicious?
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Re: Security Error when running from customer site
Here is the top portion of the MANIFEST.MF built to run on localhost, which runs fine..
another broken line with a space per the spec.
Code: Select all
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Application-Name: MBEP Editor Applet
Archiver-Version: Plexus Archiver
Built-By: scott
Permissions: all-permissions
Caller-Allowable-Codebase: http://localhost:8080/editor-1/
Codebase: *
Application-Library-Allowable-Codebase: http://localhost:8080/editor-1
 /
Class-Path:
Created-By: Apache Maven
Build-Jdk: 1.8.0_45
Name: myGroup/mbepEditor$19$1.class
SHA-256-Digest: +uBoapVWOVzzT4+5M7u7yQvtH+ZwcPVZOR+2LwXdq0E=
-
- Posts: 9424
- Joined: Fri Jul 09, 2004 5:18 pm
Re: Security Error when running from customer site
Hi Scott,
Indeed the line in the properties file is automatically broken if it overflows a number of characters. So that should be OK.
I'm not really sure what the problem is, just for tests could you modify in the build-trusted.xml the values for
Caller-Allowable-Codebase and Application-Library-Allowable-Codebase to be the wildcard * ?
That will probably issue an extra warning at some point but the applet should work.
Regards,
Radu
Radu Coravu
<oXygen/> XML Editor
http://www.oxygenxml.com
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Re: Security Error when running from customer site
Radu,
that did it! There weren’t any additional or changed warnings than I normally get with a self signed applet.
My changes below
Code: Select all
<!--EXM-28568 Avoid giving warning with Java 1.7.45
<attribute name="Application-Library-Allowable-Codebase" value="${codebase}" />
<attribute name="Caller-Allowable-Codebase" value="${codebase}" /> -->
<attribute name="Application-Library-Allowable-Codebase" value="*" />
<attribute name="Caller-Allowable-Codebase" value="*" />
the original settings have been commented out with <!-- .... -->
Does this setting allow a less secure environment?
The jnlp still has the codebase set to http://www.mbepapers.org:8080/editor-1/
Scott
-
- Posts: 9424
- Joined: Fri Jul 09, 2004 5:18 pm
Re: Security Error when running from customer site
Hi Scott,
You can see what each of those manifest parameters means here:
http://docs.oracle.com/javase/7/docs/te ... ifest.html
Regards,
Radu
Radu Coravu
<oXygen/> XML Editor
http://www.oxygenxml.com
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Re: Security Error when running from customer site
Radu,
that says
Application-Library-Allowable-Codebase
...This attribute is used to determine what is listed in the Location field for the security prompt that is shown to users when the JAR file for your RIA is in a different location than the JNLP file or HTML page that starts your RIA...
The way the applet is set up the jnlp file is in the jnlp folder and the jars are in jnlp/lib folder.
Seems like "lib" should be added to the attribute, no?
The maven script is using the same address for codebase as Application-Library-Allowable-Codebase
Scott
-
- Posts: 9424
- Joined: Fri Jul 09, 2004 5:18 pm
Re: Security Error when running from customer site
Hi Scott,
Basically * means anything so you can use that.
I'm not sure why setting the value for it does not work for you, in the applet demo we have on our website in the manifest.mf we also have a value like:
Code: Select all
Application-Library-Allowable-Codebase: https://www.oxygenxml.com/demo
 /AuthorDemoApplet/
and it works for us. But our applet is digitally signed with a valid certificate so there might be also a difference when running it with a self signed certificate.
Regards,
Radu
Radu Coravu
<oXygen/> XML Editor
http://www.oxygenxml.com
-
- Posts: 269
- Joined: Sat Jul 10, 2010 4:03 pm
Re: Security Error when running from customer site
My client is in the process of purchasing the floating license and auth cert. After I get that set up I may put ${codebase} path back in the attribute to see.
I'd rather have the location for the applet locked down.
Scott
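The folded manifest lines discussed earlier in the thread and the pinned-versus-* choice raised in the later posts can both be checked at build time. The following is an added example, not code from the thread or from oXygen: it unfolds continuation lines in a jar's manifest and reports whether the two allowable-codebase attributes are pinned to the deployment URL, set to the wildcard, missing, or mismatched. The function names, the 70-byte fold width (taken from the manifests quoted above), the in-memory sample jars and the exact-string comparison are assumptions of this example; the Java plug-in's own matching rules may differ.

```python
import io
import zipfile

AUDITED = ("Application-Library-Allowable-Codebase", "Caller-Allowable-Codebase")

def main_attributes(manifest_bytes):
    """Parse a manifest's main section, joining folded (continuation) lines."""
    attrs, last = {}, None
    text = manifest_bytes.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    for line in text.split("\n"):
        if line == "":                      # a blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation: drop exactly one space
            attrs[last] += line[1:]
        else:
            last, _, value = line.partition(":")
            attrs[last] = value[1:] if value.startswith(" ") else value
    return attrs

def classify(value, deploy_codebase):
    """Exact string match is this example's simplification, not the plug-in's rule."""
    entries = (value or "").split()
    if not entries:
        return "missing"
    if "*" in entries:
        return "wildcard"
    return "pinned" if deploy_codebase in entries else "mismatch"

def audit_jar(jar_bytes, deploy_codebase):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF"))
    return {name: classify(attrs.get(name), deploy_codebase) for name in AUDITED}

def fold(header, width=70):
    """Fold one ASCII header the way the manifests quoted in the thread are folded."""
    data = header.encode("ascii")
    rest = [b" " + data[i:i + width - 1] for i in range(width, len(data), width - 1)]
    return b"\r\n".join([data[:width]] + rest)

def make_jar(codebase_value):
    """Build a constructed in-memory jar whose manifest sets both attributes."""
    headers = ["Manifest-Version: 1.0"] + [f"{n}: {codebase_value}" for n in AUDITED]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"\r\n".join(map(fold, headers)) + b"\r\n\r\n")
    return buf.getvalue()

DEPLOY = "http://www.mbepapers.org:8080/editor-1/"  # codebase from the thread's mbep.jnlp
PINNED, WILDCARD = make_jar(DEPLOY), make_jar("*")  # constructed sample jars
```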